tasklist debugging

mustard 2025-03-04 00:37:43 +01:00
parent 49952e4195
commit a42758a8be
4 changed files with 283 additions and 287 deletions


@ -1,30 +1,29 @@
tasks:
- name: Kill debug-shell service
- name: Kill debug-shell service
ansible.builtin.systemd_service:
name: debug-shell.service
masked: true
- name: Kill kdump service
- name: Kill kdump service
ansible.builtin.systemd_service:
name: kdump.service
masked: true
- name: Set umask to 077
- name: Set umask to 077
shell: umask 077
- name: Set umask to 077 in login.defs
- name: Set umask to 077 in login.defs
ansible.builtin.replace:
path: /etc/login.defs
regexp: '^UMASK.*'
replace: 'UMASK 077'
when: umask_changes == true
- name: Set umask to 077 in logins.defs
- name: Set umask to 077 in logins.defs
ansible.builtin.replace:
path: /etc/login.defs
regexp: '^HOME_MODE'
replace: '#HOME_MODE'
when: umask_changes == true
- name: Set umask to 077 in bashrc
- name: Set umask to 077 in bashrc
ansible.builtin.replace:
path: /etc/bashrc
regexp: 'umask 022'
@ -32,7 +31,7 @@ tasks:
when: umask_changes == true
- name: Make home directory private
- name: Make home directory private
ansible.builtin.file:
path: /home/*
state: directory
@ -40,7 +39,7 @@ tasks:
mode: '0700'
when: umask_changes == true
- name: Harden SSH, add kernel blacklist and hardening
- name: Harden SSH, add kernel blacklist and hardening
ansible.builtin.copy:
src: '{{ item }}'
dest: '/{{ item }}'
@ -51,40 +50,40 @@ tasks:
- 'etc/sysctl.d/99-workstation.conf'
- name: Reload sysctl
- name: Reload sysctl
shell: 'sysctl -p'
- name: Create coredump.conf.d
- name: Create coredump.conf.d
ansible.builtin.file:
path: '/etc/systemd/coredump.conf.d'
state: 'directory'
mode: '0755'
- name: Make locks dir for dconf
- name: Make locks dir for dconf
ansible.builtin.file:
path: '/etc/dconf/db/local.d/locks'
state: 'directory'
mode: '0755'
- name: Create XDG portals directory
- name: Create XDG portals directory
ansible.builtin.file:
path: '/etc/xdg-desktop-portal'
state: 'directory'
mode: '0755'
- name: Create /etc/systemd/system/NetworkManager.service.d
- name: Create /etc/systemd/system/NetworkManager.service.d
ansible.builtin.file:
path: '/etc/systemd/system/NetworkManager.service.d'
state: 'directory'
mode: '0755'
when: manage_network == true
- name: Copy dconf files + xdg-desktop-portals fix + Network manager
- name: Copy dconf files + xdg-desktop-portals fix + Network manager
ansible.builtin.copy:
src: 'etc/systemd/system/NetworkManager.service.d/99-brace.conf'
dest: '/etc/systemd/system/NetworkManager.service.d/99-brace.conf'
mode: '0644'
when: manage_network == true
- name: Copy dconf files + xdg-desktop-portals fix + Network manager
- name: Copy dconf files + xdg-desktop-portals fix + Network manager
ansible.builtin.copy:
src: '{{ item }}'
dest: '/{{ item }}'
@ -95,10 +94,10 @@ tasks:
- 'etc/dconf/db/local.d/locks/privacy'
- 'etc/dconf/db/local.d/privacy'
- name: Update dconf
- name: Update dconf
shell: sudo dconf update
- name: Setup ZRAM, flatpak updater and environment variables to disable GJS + WebkitGTK JIT
- name: Setup ZRAM, flatpak updater and environment variables to disable GJS + WebkitGTK JIT
ansible.builtin.copy:
src: '{{ item }}'
dest: '/{{ item }}'
@ -109,50 +108,50 @@ tasks:
- 'etc/systemd/user/update-user-flatpaks.timer'
- 'etc/environment'
- name: Drop flathub script to homedir for any new appvms created based on this template
- name: Drop flathub script to homedir for any new appvms created based on this template
ansible.builtin.copy:
src: 'etc/skel/flathub.sh'
dest: '/etc/skel/flathub.sh'
mode: '0700'
- name: Upgrade all packages
- name: Upgrade all packages
ansible.builtin.dnf5:
name: "*"
state: latest
- name: Mark packages as manually installed to avoid removal
- name: Mark packages as manually installed to avoid removal
shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
- name: Enable hardened_malloc COPR
- name: Enable hardened_malloc COPR
shell: 'sudo dnf copr enable secureblue/hardened_malloc -y'
- name: Install hardened_malloc
- name: Install hardened_malloc
ansible.builtin.dnf5:
name: 'hardened_malloc'
state: 'present'
- name: Enable hardened_malloc
- name: Enable hardened_malloc
ansible.builtin.copy:
src: 'etc/ld.so.preload'
dest: '/etc/ld.so.preload'
mode: '0644'
- name: Enable hardened_malloc for system wide flatpak
- name: Enable hardened_malloc for system wide flatpak
shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
- name: Enable hardened_malloc for user flatpak # has to be run per APP VM
- name: Enable hardened_malloc for user flatpak # has to be run per APP VM
shell: 'flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
- name: Setup dnf repos
- name: Setup dnf repos
ansible.builtin.copy:
src: 'etc/dnf/dnf.conf'
dest: '/etc/dnf/dnf.conf'
mode: '0644'
- name: Get list of files
- name: Get list of files
ansible.builtin.find:
paths: /etc/yum.repos.d/
recurse: true
register: found_files
- name: Replace text in those files
- name: Replace text in those files
ansible.builtin.lineinfile:
backup: true
backrefs: true
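Review bot: The "Make home directory private" task (`path: /home/*`) does not tighten any existing home directory, because `ansible.builtin.file` takes a literal path and never expands shell globs; on the new side it will create a directory literally named `*` under `/home` with mode 0700 while every real home keeps whatever mode it had, so the hardening this gates behind `umask_changes` silently does nothing. Enumerate the homes with `ansible.builtin.find` and loop over the result as below. The "Set umask to 077" task (`shell: umask 077`) is a related no-op: the umask only applies to that transient shell and is discarded when it exits, so it should be dropped and the `login.defs`/`bashrc` edits relied on instead. The `sudo` prefixes in the `shell:` tasks (dnf mark, copr enable, dconf update, flatpak override) are better expressed as `become: true`, which is also what the dnf5/copy tasks in the same list already assume. This hunk is rendered with changed lines printed twice and appears to continue past the last visible line.
```yaml
# … unchanged: umask tasks …
- name: Find home directories
  ansible.builtin.find:
    paths: /home
    file_type: directory
  register: home_dirs
  when: umask_changes | bool
- name: Make home directories private
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: directory
    mode: "0700"
  loop: "{{ home_dirs.files | default([]) }}"
  when: umask_changes | bool
# … unchanged: SSH/sysctl/dconf tasks …
```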


@ -1,17 +1,16 @@
tasks:
- name: Fix GNOME environment variable
- name: Fix GNOME environment variable
ansible.builtin.lineinfile:
dest: '/etc/environment'
line: 'XDG_CURRENT_DESKTOP=GNOME'
- name: Upgrade all packages
- name: Upgrade all packages
ansible.builtin.dnf5:
name: "*"
state: latest
- name: Mark packages as manually installed to avoid removal
- name: Mark packages as manually installed to avoid removal
shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
- name: Remove unnecessary stuff from the template
- name: Remove unnecessary stuff from the template
ansible.builtin.dnf5:
name:
- '@Container Management'
@ -79,7 +78,7 @@ tasks:
allowerasing: true
autoremove: true
- name: Install custom packages
- name: Install custom packages
ansible.builtin.dnf5:
name:
- 'qubes-ctap'


@ -1,46 +1,45 @@
tasks:
- name: Check that the sudo-dom0-prompt exists
- name: Check that the sudo-dom0-prompt exists
stat:
path: '/etc/authselect/custom/sudo-dom0-prompt'
register: stat_result
- name: Create authselect profile
- name: Create authselect profile
shell: authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam
when: not stat_result.stat.exists
- name: Copy authselect file
- name: Copy authselect file
ansible.builtin.copy:
src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside'
mode: '0644'
- name: Copy authselect folder
- name: Copy authselect folder
ansible.builtin.copy:
src: '/etc/authselect/system-auth'
dest: '/etc/authselect/custom/sudo-dom0-prompt'
mode: '0755'
- name: Copy authselect file
- name: Copy authselect file
ansible.builtin.copy:
src: 'etc/authselect/custom/sudo-dom0-prompt/system-auth'
dest: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'
mode: '0644'
- name: Select authselect profile
- name: Select authselect profile
shell: authselect select custom/sudo-dom0-prompt
- name: Fix sudoers.d
- name: Fix sudoers.d
ansible.builtin.copy:
src: 'etc/sudoers.d/qubes'
dest: '/etc/sudoers.d/qubes'
mode: '0440'
- name: Check that allow all rule doesn't exist
- name: Check that allow all rule doesn't exist
stat:
path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
register: allow_all_result
- name: Delete allow all rule
- name: Delete allow all rule
ansible.builtin.file:
path: '/etc/polkit-1/rules.d/00-qubes-allow-all.rules'
state: 'absent'
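Review bot: The two "Copy authselect" tasks that read `src: '/etc/authselect/custom/sudo-dom0-prompt/system-auth'` and `src: '/etc/authselect/system-auth'` from an absolute path on the target lack `remote_src: true`, so `ansible.builtin.copy` looks for those files on the controller; that only works if this playbook always runs with a local connection, and if it is ever run against a template VM from elsewhere the backup of the original PAM stack fails or copies the wrong file before `authselect select` switches the system to the new profile. The "Copy authselect folder" task also applies `mode: '0755'` to what is a PAM configuration file, which should stay `'0644'` like the sibling copy tasks. Add `remote_src: true` to both tasks and change the mode, e.g. `remote_src: true` under each `src:` and `mode: '0644'` on the folder copy. The `allow_all_result` registered by the stat task is not used by the visible "Delete allow all rule" task; since `state: absent` is already idempotent the stat task can be dropped, unless the hunk continues past the last visible line with a `when:` that uses it.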


@ -1,14 +1,13 @@
tasks:
- name: Enable hardened_malloc COPR
- name: Enable hardened_malloc COPR
shell: 'sudo dnf copr enable secureblue/trivalent -y'
- name: Enable codecs and stuff
- name: Enable codecs and stuff
shell: 'sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1'
- name: Update codecs
- name: Update codecs
shell: 'sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin'
- name: Install hardened_malloc
- name: Install hardened_malloc
ansible.builtin.dnf5:
name:
- ffmpeg